mepcotterell/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Fun with tcpdump and hexdump

Here is some information that I've found/discovered from playing around with packets. The following is presented in an adhoc tutorial style. Hopepully you find it interesting.
tcpdump

Something that I found useful was the ability to actually capture the raw UDP packet using tcpdump utility.
In the following example, we'll capture a DNS query packet and save it to a file.
Open up two terminal windows. In one window, type the following:
$ tcpdump udp -e -i eth0 -nn -vvv -c 1 -w dig.raw

The -c 1 option means that we only want to capture a single packet. The -w dig.raw options means that we want to dump the bytes of the packet we receive to dig.raw.
In the other window, type the following:
$ dig @8.8.8.8 www.uga.edu

In the first window, you should notice that tcpdump captured a packet and quit. The contents of that packet are now in dig.raw.
Note: In the commands above, you may need to change eth0 to whatever interface you're actually using.
hexdump

After looking around online and playing with the format strings myself, I came up with some pretty neat ways to display a file using the hexdump utility. You can check out the commands in the other files in this gist. Also, they should work with any file (not just packet dumps).

  
## dig.raw.hexdump1.md

      
    Raw
  

              dig.raw.hexdump1.md
            
          
    Good Looking Bytes

The following command will output in three "|"-deliminited columns. The first column is the byte offset. The second column is 8 bytes following that offset, written as unsigned hexadecimal values. The Third column is the same 8 bytes written as ASCII characters. You can change the number of bytes that are displated on each line by changing both occurances of the number 8 in the command with whatever number you wish to use.
$ hexdump -v -e '"%07.1_ax | "' -e '8/1 "0x%02x " " |"' -e '8/1 " %3_c"' -e '"\n"' dig.raw 

The above command produces the following:
      0 | 0xd4 0xc3 0xb2 0xa1 0x02 0x00 0x04 0x00 | 324 303 262 241 002  \0 004  \0
      8 | 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 |  \0  \0  \0  \0  \0  \0  \0  \0
     10 | 0xff 0xff 0x00 0x00 0x01 0x00 0x00 0x00 | 377 377  \0  \0 001  \0  \0  \0
     18 | 0x65 0x5c 0x2a 0x51 0x21 0xa6 0x02 0x00 |   e   \   *   Q   ! 246 002  \0
     20 | 0x47 0x00 0x00 0x00 0x47 0x00 0x00 0x00 |   G  \0  \0  \0   G  \0  \0  \0
     28 | 0x00 0x12 0xf2 0xef 0x8b 0x00 0x52 0x54 |  \0 022 362 357 213  \0   R   T
     30 | 0x00 0xdd 0x00 0x11 0x08 0x00 0x45 0x00 |  \0 335  \0 021  \b  \0   E  \0
     38 | 0x00 0x39 0x9b 0xc1 0x00 0x00 0x40 0x11 |  \0   9 233 301  \0  \0   @ 021
     40 | 0x8a 0xc6 0xac 0x11 0x98 0x0b 0x08 0x08 | 212 306 254 021 230  \v  \b  \b
     48 | 0x08 0x08 0xec 0xee 0x00 0x35 0x00 0x25 |  \b  \b 354 356  \0   5  \0   %
     50 | 0x11 0x16 0x5d 0x9d 0x00 0x00 0x00 0x01 | 021 026   ] 235  \0  \0  \0 001
     58 | 0x00 0x00 0x00 0x00 0x00 0x00 0x03 0x77 |  \0  \0  \0  \0  \0  \0 003   w
     60 | 0x77 0x77 0x03 0x75 0x67 0x61 0x03 0x65 |   w   w 003   u   g   a 003   e
     68 | 0x64 0x75 0x00 0x00 0x01 0x00 0x01 0x   |   d   u  \0  \0 001  \0 001    

Note: I like using this one when I diff two packets because it lets me quickly determine which bytes differ.

  
## dig.raw.hexdump2.md

      
    Raw
  

              dig.raw.hexdump2.md
            
          
    Simple Byte String

The following command simply displays the byte string for the raw packet contained in dig.raw.
$ hexdump -v -e '1/1 "X%02x"' dig.raw | sed 's/X/\\x/g'

The above command produces the following:
\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00\x65\x5c\x2a\x51\x21\xa6\x02\x00\x47\x00\x00\x00\x47\x00\x00\x00\x00\x12\xf2\xef\x8b\x00\x52\x54\x00\xdd\x00\x11\x08\x00\x45\x00\x00\x39\x9b\xc1\x00\x00\x40\x11\x8a\xc6\xac\x11\x98\x0b\x08\x08\x08\x08\xec\xee\x00\x35\x00\x25\x11\x16\x5d\x9d\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x77\x77\x77\x03\x75\x67\x61\x03\x65\x64\x75\x00\x00\x01\x00\x01


## dig.raw.hexdump3.md

      
    Raw
  

              dig.raw.hexdump3.md
            
          
    Python 3 Byte String

The following command displays the Python 3 byte string for the raw packet contained in dig.raw.
$ hexdump -v -e '1/1 "X%02x"' digg.pcap | xargs -I{} echo "b'" {} "'" | sed -e 's/\s\+//g' -e 's/X/\\x/g'

The above command produces the following awesome Python3 byte string:
b'\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00\x65\x5c\x2a\x51\x21\xa6\x02\x00\x47\x00\x00\x00\x47\x00\x00\x00\x00\x12\xf2\xef\x8b\x00\x52\x54\x00\xdd\x00\x11\x08\x00\x45\x00\x00\x39\x9b\xc1\x00\x00\x40\x11\x8a\xc6\xac\x11\x98\x0b\x08\x08\x08\x08\xec\xee\x00\x35\x00\x25\x11\x16\x5d\x9d\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03\x77\x77\x77\x03\x75\x67\x61\x03\x65\x64\x75\x00\x00\x01\x00\x01'